Metasploit mailing list archives
MS08-067 Win2K3 German lang. support
From: jerome.athias at free.fr (Jerome Athias)
Date: Mon, 13 Apr 2009 09:40:41 +0200
Heya, this is an interesting thread. For non-US pentesters, and also for the static addresses problem of the msf exploit modules.

The thing is: when a universal address couldn't be found for an exploit, we'll have to find one for our locale, and we'll have to UPDATE this one in the future to keep reliability. Here using the opcodes database is interesting. Having a tag in the exploit to know what type of opcode is needed is useful (without having to parse the module code). So then you'll be able, for example, to define a locale when using autopwn, and use the opcodes db to retrieve automatically an address matching the fingerprinting results. Even if a manual test would be highly recommended.

For that I'm playing with an opcodes database built on msfpescans of KBs of all the possible locales.
http://www.ja-psi.com/securite-informatique/microsoft-opcodes-database.php

For now, I've downloaded the following (7 881) KBs:
http://www.ja-psi.com/securite-informatique/KB_list_ok.txt

Hope to be able to finish and release this stuff in the near future :p

My 2cts
/JA

christopher.riley at r-it.at wrote:
> I've finally had the time to look at the current ms08_067_netapi.rb exploit with a mind to finding the return-to-ESI addresses for the German language edition of Win2K3 (sp0-2).
>
> SP0 ret => 0x71a034ce
> SP1 ret => 0x71a03ece
> SP2 ret => 0x71a03a05
>
> Hopefully this will stop people saying the exploit is only valid on English systems and there is no need to patch other language systems. Hard to believe, but I've heard this argument recently.
>
> These addresses are all based on the existing JMP ESI in ws2help.dll used by the existing Win2K3 English exploit (NO NX). It would be great if anybody on the list using German Win2K3 could recheck my results. It's always good to have a second opinion.
>
> Also I'd like to suggest that the non-English speaking users on the list do this for their localized version of Windows server as well. Metasploit supports a lot of WinXP languages but not so many on the server side. For those not aware of how to do this, it's a simple case of using msfpescan -f <dll to examine> -j <desired JMP>, then trying out the various results to find a viable option. The exploits have a lot of information on what is required, so reading the code is enough to figure most of it out. When testing NO NX exploits remember to change the /NoExecute= in boot.ini to AlwaysOff. I lost some time to this myself ;)
>
> Now to my question. The above results are all well and good (how can I go about getting them into the SVN version?), however the language pack of the Win2K3 system isn't detected automatically, leaving a manual target setting as the only option. Where can I find the language pack detection and what can I do to help Metasploit better detect? Is there a signature matching process (as with NMAP) or is it (as I fear) much more complex? Also, what can I do to recreate the NX bypass for the German version? It's not going to be as simple as the NO NX stuff, I'm sure.
>
> As always, I'm just learning this stuff, so feel free to point out my obvious mistakes.
> Chris John Riley
>
> ----------------------------------------
> Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908
> Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for exchange of legally-binding communications.
> ----------------------------------------
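The quoted message notes that testing the non-NX target requires setting `/NoExecute=AlwaysOff` in boot.ini, which is exactly the kind of weakened configuration a test box can be left with. The following is an added example (not code from the thread or from Metasploit) that audits a boot.ini for entries whose DEP policy is missing or set to a value other than OptOut/AlwaysOn. The boot.ini content is a constructed sample; the section and switch syntax assumed is the 32-bit Windows XP/2003 boot loader format with the four documented /NoExecute policies (OptIn, OptOut, AlwaysOn, AlwaysOff).

```python
"""Audit a Windows XP/2003 boot.ini for weakened DEP (/NoExecute) settings.

Added example, not part of the mailing list thread. Assumes the classic
boot.ini layout: a [boot loader] section followed by [operating systems],
whose lines look like  <arc path>="<description>" <switches...>.
"""
import re
from typing import Dict, List, Optional

# Constructed sample boot.ini: one hardened entry, one entry weakened the
# way the thread describes (AlwaysOff), and one with no switch at all.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Win2K3 test (DEP off)" /fastdetect /NoExecute=AlwaysOff
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="Win2K3 no switch" /fastdetect
"""

# Policies that keep hardware DEP enforced for system services.
ACCEPTABLE_POLICIES = {"optout", "alwayson"}
NOEXECUTE_RE = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)
ENTRY_RE = re.compile(r'"([^"]*)"\s*(.*)')


def parse_boot_entries(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per boot entry: arc path, description, noexecute policy."""
    entries: List[Dict[str, Optional[str]]] = []
    in_os_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        arc_path, _, rest = line.partition("=")
        match = ENTRY_RE.match(rest.strip())
        if not match:
            continue  # malformed entry; skip rather than guess
        description, switches = match.group(1), match.group(2)
        nx = NOEXECUTE_RE.search(switches)
        policy = nx.group(1).lower() if nx else None
        entries.append({
            "path": arc_path.strip(),
            "description": description,
            "noexecute": policy,
        })
    return entries


def audit_dep(text: str) -> List[Dict[str, Optional[str]]]:
    """Flag entries whose /NoExecute policy is absent or weaker than OptOut."""
    findings = []
    for entry in parse_boot_entries(text):
        policy = entry["noexecute"]
        if policy is None:
            reason = "no explicit /NoExecute switch; set OptOut or AlwaysOn"
        elif policy not in ACCEPTABLE_POLICIES:
            reason = f"/NoExecute={policy} weakens DEP; set OptOut or AlwaysOn"
        else:
            continue
        findings.append({
            "description": entry["description"],
            "policy": policy,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit_dep(SAMPLE_BOOT_INI):
        print(f'{f["description"]}: {f["reason"]}')
```

Run it against a real boot.ini by reading the file and passing its contents to `audit_dep`; the OptOut entry is reported as clean, the AlwaysOff entry and the entry with no switch are flagged.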